I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Disable This Buggy Feature On Your Router Now To Avoid A Serious Set Of Security Vulnerabilities

You’ve probably never checked whether your Internet router is set by default to use a harmless-sounding protocol called Universal Plug and Play. If it does, now’s a good time to turn it off.

The protocol, abbreviated UPnP, lets computers, printers, and other devices make themselves easily discoverable to a network router. But new research by the security firm Rapid7 shows that it could also let hackers easily discover and exploit those routers, too. And the problem is “universal,” indeed: A wide-ranging scan of the Internet shows that it affects as many as 50 million unique devices.

On Tuesday the security firm Rapid7 released an advisory warning that UPnP allows the remote discovery of between 40 and 50 million UPnP routers, printers, servers and other machines. The company says that software bugs it found in three different implementations of the protocol affect 1,500 vendors and 6,900 different products, including some versions of routers sold by every major vendor, among them Cisco’s Linksys division, Belkin, D-Link and Netgear. And while some of those bugs would merely allow affected devices to be temporarily disabled, at least 23 million of the devices are susceptible to full takeover by hackers, potentially becoming a jumping-off point for an attack on the victim’s network behind any firewall.

“We never expected this much UPnP to be exposed on the Internet,” says H.D. Moore, Rapid7’s chief security officer. “The scope of the exposure just blew us away.”

I’ve reached out to Cisco, Belkin, D-Link and Netgear for comment, but only heard back from D-Link, who declined to comment for now. I’ll update this post when I hear more.

Update: CERT has now issued a warning about the issue here, and Cisco has acknowledged the problem as well. It’s provided information about the UPnP vulnerability in its Linksys routers here and its non-Linksys equipment here. “Linksys is aware of the industry-wide UPnP library security vulnerability announced by the US CERT on January 29th,” a spokesperson writes. “We recommend Linksys customers visit our website to understand if their home router is affected, and learn how to disable UPnP through the user interface to avoid being impacted.”

“Given the high level of exposure and potential impact of a successful attack, Rapid7 strongly recommends that UPnP be disabled on all external-facing systems and devices providing a critical function,” the company’s advisory reads. Given that some home routers don’t allow the setting to be turned off, Moore suggests that Internet service providers may in some cases need to replace their users’ routers or push an update to their firmware before the issue can be addressed.

UPnP has long been considered a liability by network administrators because of its ability to offer a path through a corporate firewall to devices that use the protocol. The vulnerabilities in the protocol have persisted despite numerous warnings from security researchers and even a warning from the FBI about the protocol’s insecurity as early as 2001. But it hasn’t been clear until Rapid7’s scans, which took nearly six months to complete, just how many devices had the protocol enabled by default, or how many flaws in its code existed in real-world devices.

The most recent reminder of UPnP’s insecurity came last week, when a security researcher who goes by the name someLuser found that UPnP-enabled digital video recorders (DVRs) could be discovered and hijacked by hackers to watch or alter surveillance video, or even to use the DVR as an outpost for a further attack on the owner’s internal network. Rapid7’s Moore followed up on that finding by scanning the Internet and turning up 58,000 of the vulnerable DVRs, associated with 18 brands, that remain publicly exposed. At least two of the companies behind those products say they’re investigating the issue.

In discussions about the DVR insecurity Monday, readers on Slashdot voiced their own criticism of UPnP, arguing that any wise user had already disabled the protocol on their router. “Is there really anyone in the world who hasn’t turned this monstrous security hole off yet?” asked one commenter.

The answer, based on Rapid7’s data, seems to be that there are at least several tens of millions who haven’t. Now’s their chance.

For the full technical details of Rapid7’s UPnP security findings and their implications, read its full whitepaper here.
